Veracode’s State of the Union 2022 – Techstrong TV

Chris Wysopal, CTO and Co-Founder of Veracode, and Alan discuss Veracode’s continued growth, recent State of Software Security survey results, and the AppSec market conditions. The video is below, followed by a transcript of the conversation.

Alan: Hey, everyone. Welcome to another Techstrong TV segment. I’m really happy to be joined by my friend Chris Wysopal, one of the Chrises from Veracode. I think it was just two or three weeks ago we had Chris Eng on…

Chris Wysopal: Yeah.

Alan: …talking about this year’s Veracode State of Security survey. Chris is now going to give us, Chris W. is now gonna give us a little bit more insight into the state of Veracode rather than the whole State of Security. Hey Chris, welcome back to Techstrong TV. You look well. Hope everything’s good.

Chris Wysopal: Yeah. Hi, Alan. It’s good to be on your show again here. It’s always great to talk with you. 

Alan: Absolutely. So let’s talk. You know, what’s the old Irish, “You live in interesting times.” It’s certainly been interesting times. No sooner do we start thinking this pandemic might finally be going. We have a land war in Europe for the first time in 70 or so years. And it’s crazy. 

Chris Wysopal: Yep.

Alan: But you know, security marches on. Right? 

Chris Wysopal: Mm-hmm.

Alan: As I said in the outset, you were gonna give us maybe a little bit of the State of the Union, apropos we’re recording this the day, I think the day – 

Chris Wysopal: The day of the State of the Union. Right? 

Alan: Yeah. So you’re gonna give us a little Veracode State of the Union. Why don’t we start there? 

Chris Wysopal: Yeah. Sure. So you know, you mentioned the State of Software Security report, you know, we come out with that every year. You know, Veracode is part of this application security community, part of how people are securing software. So a lot of the things we see in that report, obviously it’s from Veracode’s vantage point, but I feel like we’re part of a larger, you know, we’re part of a larger whole.

And we just see more people doing application security, more people, more organizations covering more applications, doing it with multiple tools. Not just using static or just dynamic, but both, and software composition analysis. So we’re just seeing the state of what we’re doing at Veracode reflect these trends of using multiple tools, covering more apps, building it more into your SDLC. And we get to see those datapoints come out from that report. So I have to say that, you know, Veracode is doing well because AppSec is doing well.

People, organizations, are really getting a handle on how to do this well by building it into their SDLC, you know, shifting left right into the developers’ IDEs, and into the build systems, into continuous integration systems, not waiting until the end. All of those things that we used to talk about, like this is a best practice, we actually see, you know, organizations doing. The same thing with open source. You know, open source usage in software development has continued to grow year after year.

But the other thing we’re seeing is companies are making better decisions around the open source they’re using. So they’re using software composition analysis. They’re understanding what open source they’re using and the risk in it, and they’re making better decisions about which libraries to choose and also keeping those updated. You know, I talked about the State of Software Security report. A great datapoint about that is three years ago, when we looked at the open source the average enterprise application was using, 31 percent of the libraries they were using had a known vulnerability in them.

Fast-forward to 2021, when, you know, we captured our data, and only ten percent of those libraries being used have vulnerabilities in them. So it just shows that people are just making great progress in reducing risk, and that the tools are actually working and people are making good decisions.

Alan: Absolutely. And that’s good news for us all. Chris, there is a lot here I want to jump in on.

Chris Wysopal: Yes. 

Alan: First, let me start off by saying absolutely, app security has grown by leaps and bounds in terms of adoption in the broad market. Right? It’s reached critical mass where, you know, it’s not just more normal than not, but it’s the best practice to do so, and overwhelmingly. But you know, taking away your modesty, the rising tide has lifted all the boats, but Veracode’s boat lifted probably a little higher than some of the others. And it’s not that you were at a higher point to begin with, though.

Maybe Veracode was, but certainly Veracode has been one of those companies that have led this, not revolution, but has led this golden age, if you will, of application security, right, where it really is now mainstream, where it really is, you know, the way things get done.

Chris Wysopal: Yeah, I think early on, you know, and I was actually just talking to people on Twitter today about, you know, the argument of should I use a SAST tool or a DAST tool. Like I was sharing that argument yesterday. And of course the answer is both. And we made that decision to become a multi-tool company back in 2008. So you see a lot of companies start in one place, and then they add another testing technique to cover more types of application risk that can only really be found using different techniques. And you know, so having multiple tools to cover multiple scenarios of testing, and multiple, you know, parts of the application is something that we chose early on.

And you know, we see with our data, I think our data last showed that, you know, over the last three years, there’s been a 31 percent increase in our customers using multiple tools instead of a single tool. So I think that’s an example of, you know, we kind of got in early and said, you know, you need multiple tools. And that has helped us grow because someone will, you know, understand the dynamic. They’ll know it. They’ll want to use that kind of tool. And then when they move to say, okay, well, now you gotta do software composition analysis, you know, Veracode has a great software composition analysis tool.

So I think the multi-technology approach, putting it together in a platform where you can have unified policies, and reporting, and analytics across all of that, as opposed to cobbling together lots of different things has helped us grow when the trend of the industry is, say, to use multiple tools. And the trend is not to discover, you know, single digits or tens of apps, but literally hundreds of apps. 

Now you need some way to govern a program that has hundreds, you know, you’re scanning apps from hundreds of teams, and that’s where the policies and reporting across a large organization come in. So I think we were always sort of targeted towards, like, where is application security gonna be as it matures? So as it’s matured, we really, you know, benefit from that.

Alan: Absolutely. Chris, you also mentioned software composition analysis, SCA. 

Chris Wysopal: Yeah. 

Alan: And you said, “Oh, there’s been a lot of growth in it.” Well, there wasn’t any software composition analysis in 2008 really. 

Chris Wysopal: No.

Alan: I mean there wasn’t sort of this dedicated open source, what version of the tool, of the open source you’re using, and so forth. And certainly, you know, again, you can’t make wine before its time. It doesn’t pay to get crazy with software composition analysis tools unless open source components are a big part of the applications you’re scanning. So you know, when you didn’t have that, well, of course you didn’t need SCA.

But as the percentage of open source components, or the percentage of code in applications that is open source, you know, modules if you will, or components, has continued to rise, we needed something that tested for that. Right? And it’s given rise to this whole, you know, there was the SAST, the DAST, the IAST, now SCA is, you know, on equal footing with them.

Chris Wysopal: Oh, absolutely. I think that Heartbleed was the big wake-up call that you could have this critical vulnerability in your organization from an open source library you’ve used. I think that was a big wake-up call. But the one that really pushed everyone to want to do this was the Struts 2 vulnerability that hit Equifax.

Alan: Yep.

Chris Wysopal: And everyone was like, oh no, like we could lose hundreds of millions of dollars if we don’t manage it properly. Right? That was a situation where, you know, they knew they were using it. They just didn’t figure out all the places they were using it and patch them in a timely way because they just didn’t have the right information and the right process. And that was a huge inflection point. And I think log4j is obviously the latest inflection point. But I think we’ve kind of already, we’ve already arrived with SCA being up there with things like static and dynamic analysis as far as an AppSec program goes.

I would even recommend, you know, before doing static and dynamic, SCA, if you’re just doing dynamic or just static. Because it’s, like you say, when a huge percentage of your app is made up of open source libraries, that’s where your risk is. And in our latest State of Software Security report, we looked at the percentage for different languages, and Java being the most mature language and also the most mature open source library ecosystem, 97 percent of the average Java app is libraries, which is just absolutely crazy. Because it’s such a rich ecosystem, people are just writing business logic. Right?

Alan: Yeah. 

Chris Wysopal: No one’s writing rendering stuff to screens, or, you know, sorting, I mean.

Alan: I mean to be fair, why should they? 

Chris Wysopal: No, it’s already been done. 

Alan: I mean why would you reinvent the wheel? 

Chris Wysopal: Why would you write a logging utility. Right? Just put in log4j. Right? [Laughter] 

Alan: Well, so that’s a good segue into the next thing I wanted to talk about, which is supply chain. Right? So the downside of it is, and we learned this in the real world with, you know, personal health equipment. Masks. When all of your masks come from China, and China can’t get you masks, you don’t have any masks when you need them. If all of your, you know, logging functionality is provided by one app, and that app all of a sudden has a bad vulnerability, or a design flaw, whatever you want to call it, you don’t have alternatives.

So I think there’s a balance between relying on one provider or one solution versus having to reinvent the wheel over and over. I guess in a perfect world, I’d want several logging, good logging, you know, solutions at my fingertips.

Chris Wysopal: Yeah, well, this is the old argument of sort of the, you know, having an operating system monoculture versus having multiple…

Alan: Yeah. That’s exactly right. Yep.

Chris Wysopal: … operating systems. Which back in my @stake days, Dan Geer got into some trouble for writing a paper talking about how it’s actually a national security risk that the government is…

Alan: I remember the paper. 

Chris Wysopal: …a single –. Now that’s less so today because Linux has really blossomed, and there’s lots of different flavors of Linux too. And of course Microsoft has gotten a lot better in security from when that paper was written. But it is that argument, like you put all your eggs in one basket and really guard that basket, or you distribute your eggs around and maybe lose an egg, but don’t lose the whole basket. You know, it’s an age-old risk trade-off that we have, you know, in information security.

I think one of the things, you know, that having multiple versions of stuff, I find problematic because it’s harder to manage. And people can move laterally really well. They’re not just taking the one egg. They’re taking the one egg, and they’re finding their way to the other eggs. So you know, I still think, you know, having one logging utility that you rely on is okay as long as you picked a good one, you know, the project is well managed, up-to-date.

You know, they respond quickly, there’s people there to fix flaws when they’re reported. And you have a system that you can upgrade quickly. So yeah, I think that is the all eggs in one basket, but you just got to pick a good basket and guard it well.

Alan: So in real life, IRL, right, that choice is made by the market, sort of the market decides… 

Chris Wysopal: Yeah. 

Alan: …what’s the best solution, and hopefully they’re taking, you know, these factors that you’re mentioning into account. It’s not just that it’s free, or it’s easy, or it’s what everyone else is – in some cases, it is what everyone else is using. But you know, people are investigating: is a project maintained? Do they update it often? Is there someone there, you know, when you got to pull the fire alarm at 3:00 a.m.? But with other people, and I think with a lot of software, it’s, yeah, no, this is the most popular one. That’s what we’re using. And I don’t know if they investigate beyond that.

Chris Wysopal: So there is some work going on in the OSSF, the Open Source Security Foundation, around, you know, measuring project health and publishing that, but also measuring, I think there’s a census coming out today on the most popular open source libraries that Harvard’s been working on. And so the OSSF can give funding and support to the most popular projects. Right? You don’t want to, you know, if something – that was the problem with Heartbleed.

We woke up and realized we were all dependent on this library that there were two people maintaining. Right?

And so we’re trying to not have that problem happen again, to identify those projects that are widely used and widely depended on that are under-resourced. Make people aware of that so they can move off of it if they want to, but also give them funding. Because we know a lot of people that, you know, it’s the set it and forget it mentality. If it works, you don’t need to fix it.

Alan: Don’t fix it if it’s not broke. 

Chris Wysopal: So I think more information and more resources for the critical projects will really help that. So I think we’re really making some good progress in this ecosystem. 

Alan: Yeah. And you know, I personally have high hopes for this OSSF. I think if the industry gets behind it the right way, it’s really something we need. You know, we can’t talk about supply chain and open source though without mentioning SBOMs. Right? 

Chris Wysopal: Mm-hmm. 

Alan: That’s a that’s a big word out here for everyone today. And you know, the Software Bill of Materials. What – I mean, I don’t know. Maybe you color me stupid, but I’m thinking there should be like a Veracode product that either I have to manually enter can somehow or can somehow automate what are the third party components in my app and spit out an SBOM for me, see that? 

Chris Wysopal: No, absolutely. So we’re going to be supporting the SBOM format standards that I think it’s the IT – I forget which – the NTIA has come up with, and, you know, the CycloneDX format. Because we think it’s super important that our customers that are software vendors can, you know, use our SCA products, and then have the requisite SBOM to show their customers. And this is something that is a, you know, it’s a hard customer requirement. Our customers need this because if they sell into the federal government, very shortly that’s going to become a requirement. It is specified in the executive order.

So if you’re selling software to the federal government, you have to deliver it with an SBOM. And the thing that’s really great about the executive order is there are a lot of things in there that of course will make the government more secure, but it’s going to help the whole ecosystem be more secure. Because if, you know, a vendor has to supply this to the federal government, that means other customers can ask for it too. And I think a lot of it will just be made public, so you know, the SBOM will be publicly available.

So that’s another good example of, you know, using supply chain security to improve the whole ecosystem. If there’s this one consumer that’s really demanding from their suppliers, that will help all of us. And I think that’s what the federal government is doing.

Alan: Excellent. Let me, Chris, because we’re over time already, but I feel like I took you down this way and I went off.

Chris Wysopal: Okay. 

Alan: You know, all of this is, of course, made for good times at Veracode in terms of revenue and growth and all that. And that’s manifested itself. You guys have expanded into some new markets. Right? 

Chris Wysopal: Yes. 

Alan: You want to talk about that? 

Chris Wysopal: Yes. So over the last couple of years, we finally made the final push and we’re 100 percent in the cloud. You know, we’ve always had some stuff in the cloud, you know, as a SaaS company, for I think six or seven years. But you know, we started off as a data center company, a SaaS company, because the cloud didn’t exist when I started Veracode. But now we’re 100 percent in the cloud. It gives a great advantage to scale up.

The other thing it makes it easy to do is make other instances. Right? We’re up in AWS. We now have an EU region. We have a GovCloud region. And this has allowed us to expand more fully into the EU, where a lot of organizations have data residency concerns, and it allowed us to expand our government business, our federal government business, and hopefully soon the state government business. I learned recently there’s a StateRAMP that piggybacks off of FedRAMP, so state governments can feel confident that the SaaS solution is meeting the federal requirements.

So all that’s expanded the market. It shows that the market is really expanding. It’s really a global market, and I think that the federal and state and local government market is also expanding, which is great because, you know, we all use applications that come from other countries, and they all come from our local and state governments too.

Alan: You know, I recently, I saw an article, you know, why in this great resignation are people moving out of cities and so forth? You know, what makes for a good place to live? Well, there’s the crime rate. The cost of living, you know, the usual suspects. But another element is how easy does the government – like how often do you gotta go to the DMV where you live. Right? Or how much of the DMV is online?

Chris Wysopal: Everything is online. They mail you your license renewal, etcetera. 

Alan: Yep. But there are local governments where you can’t do that. You still have to go to the DMV, and we all know what fun that is. But that’s small potatoes. Right? Voter registration. Everything else. Taxes. Jury duty. Everything. I mean, you know, the amount of applications that local governments are in need of and are developing is huge. I mean it’s just a huge market. Of course, you know, the federal, it tends to be higher dollars concentrated in one project, where in the state and locals, it can be somewhat, you know, like herding cats. But it’s a huge, huge opportunity, a huge market as well. And it’s also, though, right for – we gotta make sure it’s done right, securely.

Chris Wysopal: No, absolutely because you can choose what, you know, retailer, or media company, or whatever you want to, but you can’t really choose your local or state government, right, unless you move. 

Alan: Right. Yep.

Chris Wysopal: So you have to deal with it. They have sensitive personal information. Right? So it’s really important, and it’s really good to see that state and large city governments are really getting behind application security. So I’m pretty excited about that.

Alan: Cool stuff. Hey Chris, we’re way over time. But for people who want to find out more about Veracode, it’s Veracode dot-com. Right? V-E-R-A-C-O-D-E.

Chris Wysopal: That’s right. And it’s linked off our homepage, but check out our State of Software Security report for, you know, insights on the whole AppSec industry.

Alan: Absolutely. Hey, it’s good seeing you. As I said off camera, I’m hoping to see you at RSA in San Francisco in June. Maybe Black Hat or somewhere in the summer. If not, in Vegas. But hopefully we’re getting back to in person and we don’t have to do these over Zoom all the time.

Chris Wysopal: I’m planning on going to both. We’ll see what happens. 

Alan: Me too, but fingers crossed. Hey, say hello to all our friends at Veracode. 

Chris Wysopal: Okay. 

Alan: Good luck, man. Good job at Veracode, Chris. 

Chris Wysopal: Thanks, Alan. 

Alan: All aside. Good stuff, man. Chris Wysopal. 

Chris Wysopal: Appreciate it. 

Alan: I appreciate you, man. Cofounder of Veracode here on TechStrong TV. We’re gonna be right back. We’ll be back in a moment. 


Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St. John’s University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.
